[semver:patch] DE-1133 Initial Security Checks Orb Setup (#5)

* [DE-1133] Creating security_checks command and updating documentation and examples

* [DE-1133] Creating security_checks command and updating documentation and examples

* [DE-1133] Creating security_checks command and updating documentation and examples

* [DE-1133] Readme and DS_Store cleanup

* [DE-1133] Readme cleanup

* [DE-1133] Update license

* [DE-1133] Remove bug and feature request templates

* [DE-1133] Update pull request template

* [DE-1133] Update circleci link, add a Code of Conduct

.circleci/README.md

@@ -0,0 +1,33 @@
+# Orb Development Pipeline
+
+This configuration file uses [orb-tools orb](https://circleci.com/developer/orbs/orb/circleci/orb-tools) version 10 to automatically _pack_, _test_, and _publish_ CircleCI orbs using this project structure. View the comments within the config file for a full break  down
+
+## Overview:
+
+**Imported Orbs**
+
+Both orb-tools and a development version of your orb will be imported into the config. On the first run, a `dev:alpha` development tag _must_ exist on your orb, but will be handled automatically from there on.
+
+**Jobs**
+
+In the _jobs_ key, you will define _integration tests_. These jobs will utilize the functionality of your orb at run-time and attempt to validate their usage with live examples. Integration tests can be an excellent way of determining issues with parameters and run-time execution.
+
+### Workflows
+
+There are two workflows which automate the pack, test, and publishing process.
+
+**test-pack**
+
+This is the first of the two workflows run. This workflow is responsible for any testing or prepping prior to integration tests. This is where linting occurs, shellchecking, BATS tests, or anything else that can be be tested without the need for further credentials.
+
+This Workflow will be placed on _hold_ prior to publishing a new development version of the orb (based on this commit), as this step requires access to specific publishing credentials.
+
+This allows users to fork the orb repository and begin the pipeline, while the code-owners review that the code is safe to test in an environment where publishing keys will be present.
+
+Once approved, the development version of the orb will publish and the _trigger-integration-tests-workflow_ job will run, kicking off the next workflow
+
+**integration-test_deploy**
+
+The second and final workflow is manually triggered by the _trigger-integration-tests-workflow_ job. In this run, the development version of the orb that was just published will be imported, and the integration tests will run.
+
+When running on the `master` branch (after merging to `master`), the workflow will additionally publish your new production orb.

.circleci/config.yml

@@ -1,13 +1,90 @@
-# Use the latest 2.1 version of CircleCI pipeline process engine. See: https://circleci.com/docs/2.0/configuration-reference
 version: 2.1
-# Use a package of configuration called an orb.
+
 orbs:
-  # Declare a dependency on the welcome-orb
-  welcome: circleci/[email protected]
-# Orchestrate or schedule a set of jobs
+  civis-integrations-sdk-security: civisanalytics/civis-integrations-sdk-security-orb@<<pipeline.parameters.dev-orb-version>>
+  orb-tools: circleci/[email protected]
+  shellcheck: circleci/[email protected]
+
+# Pipeline Parameters
+## These parameters are used internally by orb-tools. Skip to the Jobs section.
+parameters:
+  run-integration-tests:
+    description: An internal flag to prevent integration test from running before a development version has been created.
+    type: boolean
+    default: false
+  dev-orb-version:
+    description: >
+      The development version of the orb to test.
+      This value is automatically adjusted by the "trigger-integration-tests-workflow" job to correspond with the specific version created by the commit and should not be edited.
+      A "dev:alpha" version must exist for the initial pipeline run.
+    type: string
+    default: "dev:alpha"
+
+jobs:
+  # Define one or more jobs which will utilize your orb's commands and parameters to validate your changes.
+  integration-test-1:
+    docker:
+      - image: cimg/base:stable
+    steps:
+      - checkout
+
 workflows:
-  # Name the workflow "welcome"
-  welcome:
-    # Run the welcome/run job in its own container
+  # Prior to producing a development orb (which requires credentials) basic validation, linting, and even unit testing can be performed.
+  # This workflow will run on every commit
+  test-pack:
+    unless: << pipeline.parameters.run-integration-tests >>
     jobs:
-      - welcome/run
+      - orb-tools/lint # Lint Yaml files
+      - orb-tools/pack # Pack orb source
+      - shellcheck/check:
+          dir: ./src/scripts
+          exclude: SC2148
+      # Publish development version(s) of the orb.
+      - orb-tools/publish-dev:
+          orb-name: civisanalytics/civis-integrations-sdk-security-orb
+          # Must be a context stored at https://app.circleci.com/settings/organization/github/civisanalytics/contexts
+          context: civis-integrations-sdk-security-orb
+          requires:
+            - orb-tools/lint
+            - orb-tools/pack
+            - shellcheck/check
+      # Trigger an integration workflow to test the
+      # dev:${CIRCLE_SHA1:0:7} version of your orb
+      - orb-tools/trigger-integration-tests-workflow:
+          name: trigger-integration-dev
+          context: civis-integrations-sdk-security-orb
+          requires:
+            - orb-tools/publish-dev
+
+  # This `integration-test_deploy` workflow will only run
+  # when the run-integration-tests pipeline parameter is set to true.
+  # It is meant to be triggered by the "trigger-integration-tests-workflow"
+  # job, and run tests on <your orb>@dev:${CIRCLE_SHA1:0:7}.
+  integration-test_deploy:
+    when: << pipeline.parameters.run-integration-tests >>
+    jobs:
+      # Run any integration tests defined within the `jobs` key.
+      - integration-test-1
+      # Publish a semver version of the orb. relies on
+      # the commit subject containing the text "[semver:patch|minor|major|skip]"
+      # as that will determine whether a patch, minor or major
+      # version will be published or if publishing should
+      # be skipped.
+      # e.g. [semver:patch] will cause a patch version to be published.
+      - orb-tools/dev-promote-prod-from-commit-subject:
+          orb-name: civisanalytics/civis-integrations-sdk-security-orb
+          context: civis-integrations-sdk-security-orb
+          add-pr-comment: true
+          fail-if-semver-not-indicated: true
+          publish-version-tag: true
+          requires:
+            - integration-test-1
+          filters:
+            branches:
+              # Any PR *to* one of these branches should trigger a production release.
+              # Assuming both the commit and PR are tagged appropriately (l.e. [semver:patch], etc.)
+              # See https://circleci.com/docs/2.0/creating-orbs/#issue-a-new-release
+              only:
+                - master
+                - main
+                - de1133_initial_orb_setup

.github/PULL_REQUEST_TEMPLATE/PULL_REQUEST.md

@@ -0,0 +1,37 @@
+
+**SEMVER Update Type:**
+- [ ] Major
+- [ ] Minor
+- [ ] Patch
+
+## Description:
+
+<!---
+  Describe your changes in detail, preferably in an imperative mood,
+  i.e., "add `commandA` to `jobB`"
+ -->
+
+## Motivation:
+
+<!---
+  Share any open issues this PR references or otherwise describe the motivation to submit this pull request.
+ -->
+
+ **Closes Issues:**
+-  ISSUE URL
+
+## Checklist:
+
+<!--
+	Thank you for contributing to CircleCI Orbs!
+	before submitting your a request, please go through the following
+	items and place an x in the [ ] if they have been completed
+-->
+
+- [ ] All new jobs, commands, executors, parameters have descriptions.
+- [ ] Security: This has security implications.
+  - [ ] This PR does not require security review. These changes are part of a project plan that has already undergone security review. The link is provided below.
+  - [ ] This PR requires security review. The `security` label is attached to this PR and a review from `Security Team` will be requested.
+- [ ] Testing: How did you test this change (unit tests, acceptance tests, etc.)? Did you do any manual testing?
+- [ ] Usage Example version numbers have been updated.
+- [ ] Changelog has been updated.

.gitignore

@@ -0,0 +1,7 @@
+# orb.yml is "packed" from source, and not published directly from the repository.
+orb.yml
+
+# Other
+.DS_Store
+*.DS_Store
+.idea

.yamllint

@@ -0,0 +1,7 @@
+extends: relaxed
+
+rules:
+    line-length:
+        max: 200
+        allow-non-breakable-inline-mappings: true
+

CHANGELOG.md

@@ -0,0 +1,17 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+
+## [1.0.1] - 2021-05-07
+### Added
+ - Initial release, consists of a security_checks command which runs flake8, safety, and bandit.
+ - Clean up generic documentation, CHANGELOG, and README files to be specific to this project.
+ - Starting at 1.0.1 to align with CircleCI version, moving forward.
+
+
+[1.0.1]: GITHUB TAG URL

CODE_OF_CONDUCT.md

@@ -0,0 +1,50 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of
+fostering an open and welcoming community, we pledge to respect all people who
+contribute through reporting issues, posting feature requests, updating
+documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free
+experience for everyone, regardless of level of experience, gender, gender
+identity and expression, sexual orientation, disability, personal appearance,
+body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information, such as physical or electronic
+  addresses, without explicit permission
+* Other unethical or unprofessional conduct
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+By adopting this Code of Conduct, project maintainers commit themselves to
+fairly and consistently applying these principles to every aspect of managing
+this project. Project maintainers who do not follow or enforce the Code of
+Conduct may be permanently removed from the project team.
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting a project maintainer at [email protected].
+All complaints will be reviewed and investigated and will result in a response
+that is deemed necessary and appropriate to the circumstances. Maintainers are
+obligated to maintain confidentiality with regard to the reporter of an
+incident.
+
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 1.3.0, available at
+[http://contributor-covenant.org/version/1/3/0/][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/3/0/

LICENSE

@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2021, Civis Analytics
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README.md

@@ -1,2 +1,36 @@
-# civis-integrations-sdk-security-orb
-A CircleCI orb with some common security checks for Python repositories.
+# Orb Project Template
+<!---
+[![CircleCI Build Status](https://circleci.com/gh/<organization>/<project-name>.svg?style=shield "CircleCI Build Status")](https://circleci.com/gh/<organization>/<project-name>) [![CircleCI Orb Version](https://badges.circleci.com/orbs/<namespace>/<orb-name>)](https://circleci.com/orbs/registry/orb/<namespace>/<orb-name>) [![GitHub License](https://img.shields.io/badge/license-MIT-lightgrey.svg)](https://raw.githubusercontent.com/<organization>/<project-name>/master/LICENSE) [![CircleCI Community](https://img.shields.io/badge/community-CircleCI%20Discuss-343434.svg)](https://discuss.circleci.com/c/ecosystem/orbs)
+
+--->
+
+This repo contains an orb with security checks that we wish to include on all future civis-integrations-sdk repositores.
+
+Additional READMEs are available in each directory.
+
+
+## Resources
+
+[CircleCI Orb Registry Page](https://circleci.com/orbs/registry/orb/civisanalytics/civis-integrations-sdk-security-orb) - The official registry page of this orb for all versions, executors, commands, and jobs described.
+[CircleCI Orb Docs](https://circleci.com/docs/2.0/orb-intro/#section=configuration) - Docs for using and creating CircleCI Orbs.
+
+### How to Publish
+* Create and push a branch with your new features.
+* When ready to publish a new production version, create a Pull Request from _feature branch_ to `main`.
+* The title of the pull request must contain a special semver tag: `[semver:<segement>]` where `<segment>` is replaced by one of the following values.
+
+| Increment | Description|
+| ----------| -----------|
+| major     | Issue a 1.0.0 incremented release|
+| minor     | Issue a x.1.0 incremented release|
+| patch     | Issue a x.x.1 incremented release|
+| skip      | Do not issue a release|
+
+Example: `[semver:major]`
+
+* Squash and merge. Ensure the semver tag is preserved and entered as a part of the commit message.
+* On merge, after manual approval, the orb will automatically be published to the Orb Registry.
+
+
+For further questions/comments about this or other orbs, visit the Orb Category of [CircleCI Discuss](https://discuss.circleci.com/c/orbs).
+

src/@orb.yml

@@ -0,0 +1,8 @@
+version: 2.1
+
+description: >
+  An orb to standardize security checks for Civis circleCI pipelines
+
+# This information will be displayed in the orb registry and is not mandatory.
+display:
+  source_url: "https://www.github.com/civisanalytics/civis-integrations-sdk-security-orb"

src/README.md

@@ -0,0 +1,26 @@
+# Orb Source
+
+Orbs are shipped as individual `orb.yml` files, however, to make development easier, it is possible to author an orb in _unpacked_ form, which can be _packed_ with the CircleCI CLI and published.
+
+The default `.circleci/config.yml` file contains the configuration code needed to automatically pack, test, and deploy and changes made to the contents of the orb source in this directory.
+
+## @orb.yml
+
+This is the entry point for our orb "tree", which becomes our `orb.yml` file later.
+
+Within the `@orb.yml` we generally specify 4 configuration keys
+
+**Keys**
+
+1. **version**
+    Specify version 2.1 for orb-compatible configuration `version: 2.1`
+2. **description**
+    Give your orb a description. Shown within the CLI and orb registry
+3. **display**
+    Specify the `home_url` referencing documentation or product URL, and `source_url` linking to the orb's source repository.
+4. **orbs**
+    (optional) Some orbs may depend on other orbs. Import them here.
+
+## See:
+ - [Orb Author Intro](https://circleci.com/docs/2.0/orb-author-intro/#section=configuration)
+ - [Reusable Configuration](https://circleci.com/docs/2.0/reusing-config)

src/commands/README.md

@@ -0,0 +1,10 @@
+# Commands
+
+Easily add and author [Reusable Commands](https://circleci.com/docs/2.0/reusing-config/#authoring-reusable-commands) to the `src/commands` directory.
+
+Each _YAML_ file within this directory will be treated as an orb command, with a name which matches its filename.
+
+
+## See:
+ - [Orb Author Intro](https://circleci.com/docs/2.0/orb-author-intro/#section=configuration)
+ - [How to author commands](https://circleci.com/docs/2.0/reusing-config/#authoring-reusable-commands)